Techniques for prevent information disclosure via dynamic secure cloud resources

ABSTRACT

Techniques for preventing information disclosure via dynamic secure cloud resources are provided. Data (information) remotely housed on a particular cloud resource of a particular cloud is periodically, randomly, and dynamically changed to a different cloud resource within the same cloud or to a different cloud resource within an entirely different cloud. A requesting principal for the data is dynamically authenticated and a current location for the data is dynamically resolved and the principal is securely and dynamically connected to the current cloud resource and current cloud hosting the data for access.

This application is a continuation of U.S. patent application Ser. No. 13/170,527, filed Jun. 28, 2011, which is incorporated herein by reference in its entirety.

BACKGROUND

Cloud computing is rapidly changing the Internet into a collection of clouds, which provide a variety of computing resources, storage resources, and, in the future, a variety of resources that are currently unimagined.

This new level of virtualization should have unbounded the physical and geographical limitations of traditional computing, but this is not yet the case largely in part because of current deficiencies for enterprises in securing, auditing, and controlling their virtualized assets over a network. That is, enterprises have been reluctant to outsource assets to cloud environments because, at least in part, of the perceived risk associated with exposure of confidential assets outsourced to external environments.

For example, a hacker typically collects and looks for vital information that will disclose where important documents, files, or other data are stored. This is typically associated with specific Internet Protocol (IP) addresses, Domain Name System (DNS), communication ports, and file names. Once a hacker discovers this information then he/she can attempt to locate and gain access to the machine for purposes of gaining access to other confidential data.

Therefore, the IP Addresses, DNS, Ports, and file names are all critical information that a company needs to protect and needs to proactively limit access to or knowledge of.

Essentially, the problem with storing critically sensitive data on a network-accessible server is that all an individual needs to know is where to access the server and/or details about the server. So, if a hacker can isolate where the server resides, the hacker can gain access to sensitive data of an enterprise.

SUMMARY

Various embodiments of the invention provide techniques for preventing information disclosure via dynamic secure cloud resources. Specifically, a method for securing network information is presented.

A determination is made that a remotely-housed resource is to be moved from a first machine to a second machine. Next, configuration details are acquired for the second machine and an encryption key is also obtained for the second machine. The remotely-housed resource is moved in an encrypted format, using the encryption key, from the first machine to the second machine and a mapping is updated that maps the remotely-housed resource to the second machine. The mapping originally mapped the remotely-housed resource to the second machine.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of an example architecture for preventing information disclosure via dynamic secure cloud resources, according to the techniques presented herein.

FIG. 2 is a diagram of a method for securing network information, according to an example embodiment.

FIG. 3 is a diagram of another method for securing network information, according to an example embodiment.

FIG. 4 is a diagram of a secure network information access system, according to the techniques presented herein.

DETAILED DESCRIPTION

A “resource” includes a user, service, system, device, directory, data store, groups of users, combinations and/or collections of these things, etc. A “principal” is a specific type of resource, such as an automated service or user that acquires an identity. A designation as to what is a resource and what is a principal can change depending upon the context of any given network transaction. Thus, if one resource attempts to access another resource, the actor of the transaction may be viewed as a principal.

An “identity” is something that is formulated from one or more identifiers and secrets that provide a statement of roles and/or permissions that the identity has in relation to resources. An “identifier” is information, which may be private and permits an identity to be formed, and some portions of an identifier may be public information, such as a user identifier, name, etc. Some examples of identifiers include social security number (SSN), user identifier and password pair, account number, retina scan, fingerprint, face scan, etc.

A “workload” as used herein refers to a special type of resource, such as a Virtual Machine (VM), an Operating System (OS), a hardware device, an agent, and/or an application.

A “processing environment” defines a set of cooperating computing resources, such as machines (processor and memory-enabled devices), storage, software libraries, software systems, etc. that form a logical computing infrastructure. A “logical computing infrastructure” means that computing resources can be geographically distributed across a network, such as the Internet. So, one computing resource at network site X and be logically combined with another computing resource at network site Y to form a logical processing environment.

The phrases “processing environment,” “cloud processing environment,” and the term “cloud” may be used interchangeably and synonymously herein.

Moreover, it is noted that a “cloud” refers to a logical and/or physical processing environment as discussed above.

Various embodiments of this invention can be implemented in existing network architectures. For example, in some embodiments, the techniques presented herein are implemented in whole or in part in the Novell® operating system products, directory-based products, cloud-computing-based products, and other products distributed by Novell®, Inc., of Waltham, Mass.

Also, the techniques presented herein are implemented in machines, such as processor or processor-enabled devices. These machines are configured to specifically perform the processing of the methods and systems presented herein. Moreover, the methods and systems are implemented and reside within a non-transitory computer-readable storage media or machine-readable storage medium and are processed on the machines configured to perform the methods.

Of course, the embodiments of the invention can be implemented in a variety of architectural platforms, devices, operating and server systems, and/or applications. Any particular architectural layout or implementation presented herein is provided for purposes of illustration and comprehension only and is not intended to limit aspects of the invention.

It is within this context that embodiments of the invention are now discussed within the context of the FIGS. 1-4.

FIG. 1 is a diagram of an example architecture for preventing information disclosure via dynamic secure cloud resources, according to the techniques presented herein. It is noted that the FIG. 1 is presented for purposes of illustration and comprehension. It is to be understood that other architectural arrangements can be used to achieve the teachings presented herein and below.

The components of the FIG. 1 are implemented in non-transitory and processor-readable storage medium and are executed on physical processors on one or more networks. Each processor specifically configured to execute the components.

The FIG. 1 is presented with reference to a specific example situation that an enterprise utilizing cloud environments can encounter. The example is presented for purposes of illustration only as other situations can occur as well and still benefit from the techniques presented herein and below.

In the context of the discussion with respect to the FIG. 1, consider that a user (X) wants to access a very secure document. The secure document is stored on a server but X has no idea where the server is. X does not know the IP address, DNS, communication port, or even file name of the secure document. All X knows is that he/she needs to access the secure document.

X pulls up a Secure Entry Handler application (A in the FIG. 1). This is a highly-secure application that has been installed on X's laptop (or other processor-enabled device of X). X inputs credentials to gain access to the Secure Entry Handler. The credentials are validated via an identity service (B in the FIG. 1). The evaluation of one or more policies also occurs, at B, to determine if X has access to the secure document and to determine what other types of documents X can access. X is then presented with a listing of document descriptions that X currently has access to.

In another case, access to the Secure Service Agent (F in the FIG. 1) or the Secure Connection Router (C in the FIG. 1) can be dynamic (bypassing the Secure Entry Handler—not show in the FIG. 1), such as via an encrypted routing token having: the IP address for the machine of the Secure Service Agent or Secure Connection Router, the IP address for the machine of X, and an identity for X. This token can be used for establishing a secure dynamic connection from X's machine to the Secure Service Agent's machine or the Secure Connection Router's machine.

Once a secure document is selected by X, a secure request is issued to the Secure Connection Router (C in the FIG. 1). This Secure Connection Router consults a Mapping-Identifiers listing (D in the FIG. 1). This extracts the current IP address, DNS, port number, and/or file name, and what key to use to connect with the hosting machine that presently has the secure document that X wants access to.

The Secure Connection Router then establishes a connection to that VM's Secure Service Agent (F in the FIG. 1) and gains access to the secure document that is being hosted on the Server (G in the FIG. 1).

It is noted that the secure document is currently being hosted on G (in the FIG. 1) and that the previous VM's that were hosting the secure document are on VM H (in the FIG. 1). So, previously the secure document was hosted on a different VM and within a same Cloud Network, but there are also instances (as noted in the FIG. 1) of other VM's in other Cloud Networks that have previously hosted the secure document.

Thus far, the discussion above has dealt with the end user's side of accessing the secure document. A description associated with the dynamic changing of the hosting VM's for the secure document is now presented.

There is a Rehandler Service (I in the FIG. 1) that checks the Policy (J in the FIG. 1) associated with the secure document. The Policy lists how often to change the location of the VM and where the secure document is stored at on a current VM being used. The policy itself can also be randomized. Randomization of the policy can be: time based, event based, and/or triggered on some other configured aspects to determine when re-handling needs to occur. When a situation, according to policy evaluation, occurs the Rehandler service determines if a new Cloud Network needs to be used and what other aspects need to change.

Additionally all the data points can be randomized, such as, a random name, a random IP address, and a random network; each of which is currently not in use.

For example, consider a situation where all data points are to be changed. The Rehandler Service contacts the Cloud Provisioner (L in the FIG. 1) to establish a new Cloud Network with: a new VM, a new port, and a new filename for the secure document. All of these data points are randomized and not part of any other existing VM's within the cloud's infrastructure. The Cloud Provisioner then clones a new VM from a secure template (M in the FIG. 1) and deploys the new VM within the new cloud network. The cloud network can be an entirely different private or public cloud, or can be a new 10.x.x.x type of network. The Cloud Provisioner creates the new VM and installs the Secure Service Agent running on the specified new port number with a new key.

Optionally, instead of using the Secure Service Agent, the IP address of the current hosting VM for the secure document along with the DNS and file name can be combined with an identity for X and an IP address for X's machine to form an encrypted token. The token facilitates direct and dynamic access to the current hosting machine.

Now that a new VM is operational for hosting the secure document, the Rehandler Service notifies the new VM that a new key needs to be generated. The new VM (K in the FIG. 1) generates a new public/private key pair. The new VM returns the public key to be stored in the Key Storage (E in the FIG. 1).

The Current VM (G in the FIG. 1) is notified that the current VM is up for de-commissioning or de-hosting of the secure document. The Current VM then retrieves the public key of the new VM from Key Storage where the public key is referenced by the Mapping Identifiers. The current VM encrypts the document with the public key and initiates a copy of the encrypted document to the Rehandler Service. The Rehandler Service forwards on the copied encrypted document to the New VM (K in the FIG. 1). Then once the New VM (K in the FIG. 1) has the file, the New VM can initiate a command that it is ready for service to provide the secure document.

Optionally, the Current VM can also copy the file directly to the New VM. For added security; however and in some embodiments as discussed above, the Current VM may have no knowledge of the New VM whatsoever, which is accessed via the Rehandler Service.

The Rehandler Service then updates the Mapping Identifiers (D in the FIG. 1) to the new VM. Once this has occurred, the Rehandler Service removes and destroys the previous VM (G in the FIG. 1). Any new requests for the secure document go directly to the new VM.

The Rehandler service performs the operations discussed above again as soon as the next triggered event happens.

The techniques discussed above and below provide the ability to gain access to highly-sensitive information via a random cloud based server, which has a dynamic and random IP address, listening port, and file name.

Information Disclosure has been a long time problem, which is widely discussed in the industry. The problem is solved herein via dynamic cloud resources, as discussed herein above and below, for purposes of preventing sensitive information disclosure.

FIG. 2 is a diagram of a method 200 for securing network information, according to an example embodiment. The method 200 (hereinafter “cloud-based information manager”) is implemented and resides within a non-transitory computer-readable or processor-readable medium that executes on one or more processors of a network. Moreover, the cloud-based information manager is operational over a network and the network may be wired, wireless, or a combination of wired and wireless.

The cloud-based information manager is presented from the perspective of one or more network or cloud-based services that management movement and access to a secure resource. A secure resource is a resource that has security enforced before access is granted to that resource. The resource may include such things as a file, a document, an image, a video, a graphic illustration, an audio snippet, and the like. In some cases, the secure resource can also include an executable program or plugin that a principal desires to process.

At 210, the cloud-based information manager makes a determination that a remotely-housed resource is to be moved from a first machine to a second machine. The phrase “remotely-housed” is used to convey that the resource is managed over a network, such as but not limited to the Internet. The resource is external or remote from a requesting principal. The principal can be an end-user or an automated application or service being executed on behalf of an end-user. So, the resource is remote from the requesting principal that desires access to that resource.

According to an embodiment, at 211, the cloud-based information manager evaluates policy associated with the remotely-housed resource in order to make the determination that the remotely-housed resource is to be moved from the first machine to the second machine. The policy can include a variety of configured conditions that are dynamically evaluated by the cloud-based information manager based on a number of factors (some of which can be dynamically resolved as well).

Continuing with the embodiment of 211 and at 212, the cloud-based information manager changes conditions for the policy. In some cases, the changed conditions can be randomly generated by the cloud-based information manager and then subsequently used by the cloud-based information manager on different iterations of the processing to determine when to move the remotely-housed resource a second time and to an entirely different machine. In other words, the policy that is used to determine when to move the remotely-housed resource can itself be ever changing and the frequency of the changes as well as the changes themselves can be randomly generated conditions produced by the cloud-based information manager.

So, finding the location for storing the remotely-housed resource can be dynamically resolved based on evaluation of the policy, where the location is the second machine or an identity for the second machine, which permits the location to be resolved.

At 220, the cloud-based information manager acquires configuration details for the second machine. The configuration details can include a variety of metadata associated with creating, identifying, locating, and/or communicating with the second machine.

In an embodiment, at 221, the cloud-based information manager requests the configuration details from a cloud-provisioning service. This scenario was discussed above with respect to the processing of the FIG. 1. In this instance, the second machine is a virtual machine (VM), which is dynamically created and instantiated by the cloud-provisioning service on behalf of the cloud-based information manager.

In another scenario, at 222, the cloud-based information manager generates the configuration details for a newly created VM, which is the second machine or for a workload. The configuration details include a randomly generated IP address and a randomly generated communication port for communicating with the newly created VM or the workload.

Continuing with the embodiment of 222 and at 223, the cloud-based information manager clones the newly created VM from a template. This too was discussed above with respect to the FIG. 1.

At 230, the cloud-based information manager obtains an encryption key for the second machine. The remotely-housed resource is to be stored on the second machine in an encrypted format performed using an encryption key associated with the second machine.

In an embodiment, at 231, the cloud-based information manager requests that the second machine provide a public key from the second machine's private-public key pair. Here, the public key is the encryption key.

At 240, the cloud-based information manager facilitates moving of the remotely-housed resource in an encrypted format using the encryption key. The remotely-housed resource is moved dynamically from the first machine to the second machine. It is noted that the first and second machines can be within the same networked environment (same cloud) or that the first and second machines can each be associated with different networked environments (different clouds).

In an embodiment, at 241, the cloud-based information manager instructs the first machine to communicate with the second machine via the configuration details for purposes of providing the remotely-housed resource in the encrypted format. Here, the cloud-based information manager facilitates creating a secure connection (using encryption and/or encryption communication protocols) between the first machine and the second machine.

In another scenario, at 242, the cloud-based information manager directly communicates with the second machine via the configuration details to provide the remotely-housed resource in the encrypted format. Here, the first machine may, in some instances, be completely unaware of the configuration details and identity of the second machine; rather, the cloud-based information manager or sub-services of the cloud-based information manager are used to provide the remotely-housed resource to a principal of the first machine.

At 250, the cloud-based information manager updates a mapping that maps the remotely-housed resource to the second machine. The mapping originally mapped the remotely-housed resource to the second machine. This mapping can be housed in a repository, such as the one discussed above with respect to the discussion of the FIG. 1. Moreover, one or more sub-services can manage and provide the mapping and updates to the mapping. The mapping is a relation or link between an identity of the remotely-housed resource and a current machine (along with its configuration details) that currently (at the time of request) possesses the remotely-housed resource. So, when the remotely-housed resource is successfully migrated from the first machine to the second machine, the mapping is updated to reflect this change.

In an embodiment, at 251, the cloud-based information manager decommissions the first machine. That is, suppose the first machine was being used to solely manage distribution of the remotely-housed resource, in such a case, the first machine (which may be a VM) is removed, such that access to the first machine is no longer possible over a network connection.

FIG. 3 is a diagram of another method 300 for securing network information, according to an example embodiment. The method 300 (hereinafter “network information manager”) is implemented and resides within a non-transitory computer-readable or processor-readable medium that executes on one or more processors of a network. Moreover, the network information manager is operational over a network and the network may be wired, wireless, or a combination of wired and wireless.

The network information manager presents another and in some cases enhanced perspective of the cloud-based information manager represented by the method 200 of the FIG. 2 and discussed in detail above. Specifically, the management for migration of a secure or remotely-housed resource within one or more networked environments (clouds) is presented as the cloud-based information manager; whereas, the network information manager is presented from the perspective of processing that occurs when a principal requests a secure resource for access.

At 310, the network information manager authenticates a principal (user or automated service acting on behalf of a principal) for access. A variety of authentication mechanisms were presented above with respect to the discussion of the FIG. 1.

For example, at 311, the network information manager consults an identity service for purposes of having the identity service authenticated the principal for access to secure resources being managed by the network information manager.

In an embodiment, at 312, the network information manager presents a list of available secure resources to the principal. The identity of the principal (resolved with authentication) can resolve a role for the principal and resolve a specific policy that is used for evaluation. The role and/or policy identify the types of resources and/or identities for resources that the principal is permitted to access, via the network information manager. These secure resources are presented with descriptive details in a list for the principal to make a selection. Again, this was discussed above with reference to the FIG. 1.

At 320, the network information manager obtains mapping identifiers that map a particular secure resource identity for a particular resource to a current machine or current processing environment that possess the desired secure resource or that is actively distributing the desired secure resource.

According to an embodiment, at 321, the network information manager acquires the mapping identifiers as a current IP address for the current machine, a current communication port for use with the current machine, a domain name system (DNS) used with the current machine, and a file name that identifies the secure resource. This information may also be viewed as the configuration details that were discussed above with reference to the FIG. 2.

In still another situation, at 322, the network information manager acquires a public key for the current machine with the mapping identifiers. Here, and for added security, the secure resource is encrypted with the public key of the current machine.

At 330, the network information manager establishes a connection to the current machine. The principal then acquires the secure resource from the current machine, via the connection. In some cases, the connection is secure (uses an encrypted communication protocol or passes data in an encrypted format).

According to an embodiment, at 331, the network information manager connects a principal machine for the principal with the current machine for a secure communication session. In other words, the principal machine and the current machine directly communicate via the secure communication session independent of the network information manager.

As stated before, in some alternative scenarios to 331, the network information manager or sub-services of the network information manager can act as a proxy to acquire the secure resource from the principal such that the principal machine does not directly communicate with the current machine but rather communicates indirectly via the network information manager.

FIG. 4 is a diagram of a secure network information access system 400, according to the techniques presented herein. The components of the secure network information access system 400 are implemented within and reside within a non-transitory and computer or processor-readable storage medium for purposes of executing on one or more processors of a network. The network may be wired, wireless, or a combination of wired and wireless.

The secure network information access system 400 implements, inter alia, various aspects of the FIG. 1, and the method 200 and the method 300 of the FIGS. 2 and 3, respectively.

The secure network information access system 400 includes a redeployment manager 401 and a secure resource locator 402. Each of these components and their interactions with one another will now be discussed in detail.

The redeployment manager 401 is implemented, resides, and is programmed within a non-transitory processor-readable (computer-readable) medium as instructions that process on one or more processors of a network. Example processing associated with the redeployment manager 401 was presented above with the description of the FIGS. 1-2.

The redeployment manager 401 is configured to regularly move a secure resource from a source machine and source environment to a current machine and current environment based on policy. That is, policy evaluation dictates when the redeployment manager 401 migrates a secure resource from a source machine to a current machine. The policy may also dictate resolving an identity for the current machine or even creation of the current machine (when the current machine is a VM). “Current machine” is a particular machine that at a given point in time when a request is made for the secure resource, the particular machine is in possession and/or is actively capable of distributing or providing access to the secure resource.

According to an embodiment, the redeployment manager 401 is also configured to decommission the source machine and dynamically create the current machine. In this instance both the source machine and the current machine are VMs.

The secure resource locator 402 is implemented, resides, and is programmed within a non-transitory processor-readable (computer-readable) medium as instructions that process on one or more processors of a network. Example processing associated with the secure resource locator 402 was presented above with the description of the FIGS. 1 and 3.

The secure resource locator 402 is configured to locate the secure resource on the current machine on behalf of a requesting principal and facilitate a connection between a machine of the principal and the current machine. The secure resource locator 402 dynamically and in real time resolves a present location for access a secure resource when a principal makes an authorized request for that secure resource. Again, the processing associated with these features was discussed above with reference to the FIGS. 1 and 3.

The above description is illustrative, and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reviewing the above description. The scope of embodiments should therefore be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled. 

1. (canceled)
 2. A method, comprising: authenticating, by a proxy over a network connection, a principal for access to a secure resource; obtaining, by the proxy, mapping identifiers that map a secure resource identity for the secure resource to a current machine that currently has the secure resource; and establishing a secure connection between a client machine of the principal and the current machine for access by the principal to the secure resource.
 3. The method of claim 2, wherein authenticating further includes consulting an identity service to authenticate the principal for access.
 4. The method of claim 2, wherein authenticating further includes presenting a list of available secure resources to the principal, the principal selects the secure resource from the list.
 5. The method of claim 2, wherein obtaining further includes acquiring the mapping identifiers as a current Internet Protocol (IP) address for the current machine, a current communication port for use with the current machine, a domain name system (DNS) used with the current machine, and a file name for the secure resource.
 6. The method of claim 2, wherein obtaining further includes acquiring a public key for the current machine with the mapping identifiers, the secure resource encrypted with the public key on the current machine.
 7. The method of claim 2, wherein establishing further includes connecting the client machine or the principal with the current machine for a secure communication session in an encrypted communication session between the client machine and the current machine.
 8. The method of claim 2, wherein establishing further includes passing an encrypted routing token having an Internet Protocol (IP) address for the current machine to the client machine, the client machine decrypting the encrypted routing token to obtain the IP address and connect to the current machine.
 9. The method of claim 8, wherein passing further includes providing in the encrypted routing token a principal identity and an IP address for the client machine.
 10. The method of claim 2, wherein establishing further includes obtaining a key for connecting to the current machine based on a specific mapping identifier for the current machine.
 11. The method of claim 2, wherein establishing further includes providing the client machine with configuration details for connecting to the current machine.
 12. A method, comprising: presenting, by a proxy server, a list of secure resources to a principal in response to a principal request issued from a client machine operated by the principal over a network connection; receiving, by the proxy server, a selected secure resource from the principal operating the client machine over the network connection; identifying, by the proxy server, a current machine from which the selected secure resource can be accessed using the client machine; and establishing, by the proxy server, a connection between the client machine and the current machine for the principal to access the selected secure resource.
 13. The method of claim 12, wherein presenting further includes authenticating the principal on receipt of the principal request to a principal identity.
 14. The method of claim 13, wherein receiving further includes evaluating a policy based on the principal identity to ensure the principal is permitted to access the selected secure resource.
 15. The method of claim 12, wherein identifying further includes maintaining a mapping between secure resource identifiers for the secure resources and machine identifiers for machines hosting the secure resources, wherein a specific secure resource identifier maps the selected secure resource to the current machine.
 16. The method of claim 12, wherein establishing further includes using a unique key identified for the current machine when establishing the connection.
 17. The method of claim 12, wherein establishing further includes providing an encrypted routing token to the client machine for establishing the connection with the current machine.
 18. A system, comprising: a proxy server; wherein the proxy server is configured to: i) authenticate a principal operating a client machine for access to a secure resource; ii) identify a current machine over a network having the secure resource by using a list of mapping identifiers that map the secure resource as being presently located on the current machine, iii) establish a secure connection between the client machine and the current machine for the principal to access the secure resource.
 19. The system of claim 18, wherein the proxy server is further configured in, iii), to: pass an encrypted routing token to the client machine having an Internet Protocol (IP) address of the current machine for the client machine to decrypt and securely connect to the current machine.
 20. The system of claim 19, wherein the proxy server is further configured in, ii), to: provide a principal identity for the principal and IP address for the client machine within the encrypted routing token.
 21. The system of claim 18, wherein the proxy server is further configured in, ii), to: obtain a key for connecting to the current machine based on a specific mapping identifier that identifies the current machine. 